kao

The real OEP is standard Delphi one (find "Runtime Error at.." message and look a bit up) - boring;
It's trivial to find hardcoded password by just dumping process memory and examining strings - even more boring;
Making a proper unpacked file is not entirely trivial because the imports are redirected via a few jumps - slightly entertaining.

However, in the unpackme description Modify claims to have used Confuser and DNP on an x86 executable... Apparently he has no idea what he's doing, so I wouldn't waste any time on this POS.

Extreme Coders

In Delphi apps, the first function that is called is GetModuleHandleA. Set a HWBP, trace a few times, and you will reach a position (by intuition) where you need to use the stack to find the caller. The OEP is a few lines above it.

Just make sure to hide the debugger properly before running the pycommand.

Rebuilding imports

The import table is split into three parts. Further, as already said, imports are redirected by jumps. The original imports can be recovered by tracing. Well, not all imports can be recovered by tracing, as some seem to be virtualized / emulated.

Tracing failed for 8 imports. I have checked them and those imports are all emulated. These must be recovered manually and this is where I decided to stop.

For the final step, we can add a new section to the exe. Another script would write the imported function addresses there. Next, we can use Scylla to create a new IAT, dump & fix, and that should hopefully be the end.
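The resolution step described in the post above (follow each redirected IAT slot through its chain of jumps until it lands on a real API, and give up on the ones that are emulated instead of jumped to), as an added stand-alone example that is not the poster's pycommand or any code from the thread. It works on a constructed in-memory image rather than a live debugger: the stub bytes, the IAT slot values and the API addresses in `API_MAP` are all made up for the example, and the `Memory` class is a stand-in for a debugger's memory-read API. It generalizes the thread slightly by handling both `jmp rel32` and `jmp dword ptr [abs32]` stubs and by staging the resolved addresses as the DWORD blob that a script would write into a new section before handing the file to Scylla.

```python
import struct

# Constructed API addresses (placeholders, not real kernel32 offsets).
GETMODULEHANDLEA = 0x7C80B741
EXITPROCESS = 0x7C81CAFA
API_MAP = {GETMODULEHANDLEA: "kernel32.GetModuleHandleA",
           EXITPROCESS: "kernel32.ExitProcess"}


class Memory:
    """Flat memory model: {base: bytes}. Stands in for a debugger read API."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                off = addr - base
                return data[off:off + size]
        raise ValueError(f"unmapped read at {addr:#x}")


def follow_redirect(mem, start, api_map, max_hops=16):
    """Follow jmp stubs from `start`; return (api_addr, hops) or (None, hops)
    when a non-jmp instruction, an unmapped address or a loop is hit."""
    cur, hops = start, 0
    try:
        while cur not in api_map:
            if hops >= max_hops:            # loop or absurdly long chain
                return None, hops
            op = mem.read(cur, 2)
            if op[0] == 0xE9:               # jmp rel32
                rel = struct.unpack("<i", mem.read(cur + 1, 4))[0]
                cur = (cur + 5 + rel) & 0xFFFFFFFF
            elif op[0] == 0xFF and op[1] == 0x25:   # jmp dword ptr [abs32]
                ptr = struct.unpack("<I", mem.read(cur + 2, 4))[0]
                cur = struct.unpack("<I", mem.read(ptr, 4))[0]
            else:                           # e.g. pushad: emulated stub
                return None, hops
            hops += 1
    except ValueError:                      # chain left the dumped image
        return None, hops
    return cur, hops


def resolve_iat(mem, iat_base, count, api_map):
    """Resolve `count` DWORD slots starting at iat_base."""
    results = []
    for i in range(count):
        slot = iat_base + 4 * i
        stub = struct.unpack("<I", mem.read(slot, 4))[0]
        target, hops = follow_redirect(mem, stub, api_map)
        results.append({"slot": slot, "stub": stub, "target": target,
                        "api": api_map.get(target), "hops": hops})
    return results


def stage_addresses(results):
    """Bytes to write into a new section (0 for unresolved slots) plus the
    list of slots that still need manual work, as in the thread."""
    blob = b"".join(struct.pack("<I", r["target"] or 0) for r in results)
    unresolved = [r["slot"] for r in results if r["target"] is None]
    return blob, unresolved


# ---- constructed image: three IAT slots pointing at three packer stubs ----
STUB_BASE, IAT_BASE = 0x00500000, 0x00404000
stub = bytearray(b"\xCC" * 0x200)

def put(addr, data):
    stub[addr - STUB_BASE:addr - STUB_BASE + len(data)] = data

put(0x500000, b"\xE9" + struct.pack("<i", 0x500020 - (0x500000 + 5)))  # jmp -> 0x500020
put(0x500020, b"\xFF\x25" + struct.pack("<I", 0x500100))                # jmp [0x500100]
put(0x500100, struct.pack("<I", GETMODULEHANDLEA))                      # pointer cell
put(0x500040, b"\xE9" + struct.pack("<i", EXITPROCESS - (0x500040 + 5)))  # jmp -> API
put(0x500060, b"\x60\x9C")                          # pushad; pushfd: emulated stub
MEM = Memory({STUB_BASE: bytes(stub),
              IAT_BASE: struct.pack("<3I", 0x500000, 0x500040, 0x500060)})

if __name__ == "__main__":
    res = resolve_iat(MEM, IAT_BASE, 3, API_MAP)
    for r in res:
        print(f"{r['slot']:#010x} -> {r['api'] or 'UNRESOLVED (manual)'} ({r['hops']} hops)")
    print(stage_addresses(res))
```

In a real run the `Memory` reads would be the debugger's memory API and `API_MAP` would come from the loaded modules' export tables; the unresolved list is exactly the set of slots the post says had to be fixed by hand.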